user964797

Reputation: 231

Preventing HTTP access to the servers of Amazon's Elastic Beanstalk

We have a system running on Amazon's Beanstalk. We would like to limit access to the server to HTTPS only. When blocking HTTP on the environment settings, it prevents accessing through the Beanstalk DNS. However, if someone knows the public IP (or name) of any of the servers, he can access them directly through HTTP. It seems that the LB forwards the requests to port 80, so we cannot change the security group and remove port 80. Is there a simple way to limit HTTP access to be only from the LB? Thanks

Upvotes: 5

Views: 3093

Answers (3)

maestr0

Reputation: 5608

You have at least two options:

1 - set the Security Group Policy that allows access on port 80 from the Load Balancer only. IMPORTANT!!! Do not use the Load balancer IP in the instances' security group. Use the Load balancer security group ID instead.

2 - remove the public IPs from the instances. You should be good if all your EC2 instances have private IPs and the ELB has a public IP.

Upvotes: 1

Sony Kadavan

Reputation: 4052

Yes, you need http/80 to be open for the health check to work. The option for you is to redirect all the other requests (except the health check URL) to use https. This way, though the port is open, you "don't serve any data in an insecure way".

Upvotes: 1

Rupert Rawnsley

Reputation: 2669

You should be able to do this through EC2 Security Groups, which is an Elastic Beanstalk environment property.

By default this allows connections to port 80 from any IP address, but you could remove that rule or replace it with your own IP address (for testing purposes).

Failing that, you could reroute all HTTP traffic to HTTPS at the application level or simply test the CGI property *server_port_secure* and refuse to answer.

Upvotes: 2
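Added example (not code from any of the answers): a check for the rule that maestr0's option 1 and Rupert Rawnsley's answer both describe, where port 80 on the instances should be reachable only from the load balancer's security group. It reads JSON in the shape of `aws ec2 describe-security-groups` output; the sample data, all `sg-...` IDs and the function names are constructed placeholders.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Every ID and address below is a placeholder, not a value from the page.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0instance000000001", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0instance000000002", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0loadbalancer00001"}]}]},
  {"GroupId": "sg-0instance000000003", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.100.7/32"}],
     "UserIdGroupPairs": [{"GroupId": "sg-0someothergroup001"}]}]}
]}
""")

def covers_port(rule, port):
    """True if the ingress rule applies to TCP `port` ("-1" means all traffic)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_http_ingress(groups, lb_sg_id, port=80):
    """Return (group_id, source) for each source other than the load balancer's
    security group that is allowed to reach `port`. Any CIDR is reported, even
    one that happens to be the load balancer's current IP address."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not covers_port(rule, port):
                continue
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            sources += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
            sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])
                        if p["GroupId"] != lb_sg_id]
            findings += [(sg["GroupId"], s) for s in sources]
    return findings

if __name__ == "__main__":
    for group_id, source in audit_http_ingress(SAMPLE, "sg-0loadbalancer00001"):
        print(f"{group_id}: port 80 reachable from {source}")
```

An empty result means the only path to port 80 is through the load balancer's security group; the all-traffic rule on the third sample group shows why rules that do not name port 80 explicitly still have to be checked.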
